https://github.com/osquery/osquery logo
Join Slack
Powered by
Windows Server 2019, Launcher + autoupdate stable....
# kolide
d
Windows Server 2019, Launcher + autoupdate stable. Trying to enroll in Fleet, seeing the folllowing: 
caller=level.go:63 level=info caller=extension.go:136 msg="extension interrupted" err="enrolling host: query enrollment details, (even with retries): done trying: query enrollment details: could not query the extension manager client: write field stop error: The pipe is being closed."
Any ideas?
j
Started getting this, figure it out yet?
d
Not yet - is yours from a fresh install? Stock Launcher / Fleet?
j
Mine is from so-launcher in SO 2.3.0, same msi worked on other hosts.
d
@seph Have you seen this before?
s
no, I don’t think I’ve seen that
I think that’s laucher saying it can’t talk to osquery. More logs might help. Are you running this in the foreground? It’s easier to get debug logs.
Or… A new launcher flag is 
debug_log_file
which will mirror the logs to a file. Handy for debugging windows services. Note that there’s no rotation, and it’s a noisy debug log.
j
Here's a pastebin with debug on: https://pastebin.com/b3DQ9xdU
Could it be a problem with osquery-extension.exe not properly launching or connecting to the named pipe?
@seph I posted some debug logs, does that give you any more clues?
d
Seeing this error again... Seems to be very intermittent
m
I am also seeing this error on some Server 2019 VMs. Anyone figure out what was going on?
d
@MarkMurdock Is that with Security Onion?
m
No in my case it's FleetDM on Ubuntu 20.04
And Server 2019 with Launcher + autoupdate
s
The error quote here just says launcher couldn’t talk to osquery. But it doesn’t say anything about why. Gotta dig through the prior logs to see what the error might be
Open in Slack
PreviousNext
Powered by